A framework for the extended evaluation of ABAC policies

Charles Morisset,Tim A C Willemse,Nicola Zannone

doi:10.1186/s42400-019-0024-0

Charles Morisset, Tim A C Willemse + Show 1 more

Open Access

https://doi.org/10.1186/s42400-019-0024-0

Copy DOI

Abstract

A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in ABAC by introducing the notion of extended evaluation, where the evaluation of a query considers all queries that can be obtained by extending the initial query. This method counters attribute-hiding attacks, but a naïve implementation is intractable, as it requires an evaluation of the whole query space. In this paper, we present a framework for the extended evaluation of ABAC policies. The framework relies on Binary Decision Diagram (BDDs) data structures for the efficient computation of the extended evaluation of ABAC policies. We also introduce the notion of query constraints and attribute value power to avoid evaluating queries that do not represent a valid state of the system and to identify which attribute values should be considered in the computation of the extended evaluation, respectively. We illustrate our framework using three real-world policies, which would be intractable with the original method but which are analyzed in seconds using our framework.

Highlights

Attribute-Based Access Control (ABAC) is emerging as the de facto paradigm for the specification and enforcement of access control policies
attribute-based access control (ABAC) provides a powerful paradigm for access control, ABAC systems require that all the information necessary for policy evaluation is available to the policy decision point, which might be difficult to achieve in modern systems
Analysis of extended evaluation function ⋅ E: For each dataset, Table 6 shows the size of the binary decision diagram (BDD) obtained using the simplified evaluation function ⋅ B presented in “ABAC evaluation” section, and the size of the BDDs obtained using the extended evaluation function ⋅ E with and without constraints

Summary

Introduction

Attribute-Based Access Control (ABAC) is emerging as the de facto paradigm for the specification and enforcement of access control policies. In ABAC, policies and access requests are defined in terms of attribute namevalue pairs. This provides an expressive, flexible and scalable paradigm that is able to capture and manage authorizations in complex environments. ABAC provides a powerful paradigm for access control, ABAC systems require that all the information necessary for policy evaluation is available to the policy decision point, which might be difficult to achieve in modern systems. Recent years have seen the emergence of authorization mechanisms that go beyond the view of a centralized monitor with full knowledge of the system. Authorization mechanisms increasingly rely on external services to gather the information necessary for access decision making

Results

Discussion

Conclusion